TLS 1.2 or later required by December 31, 2018
Remote-Learner has made several changes over the past several years to increase the security of your site’s data for the protection of you and your users. Our hosting services encrypts your site data to ensure that it is safe while being stored. We install HTTPS certificates on every one of our hosts to allow information to be encrypted as it is sent to and received from site users and have encouraged use of HTTPS. As time has progressed, threats to data security have increased and internet technologies have adapted by improving ways that data is secured.
On January 1, 2019, Remote-Learner will make changes to this end, and remove support for the outdated TLS 1.0 and 1.1 communication protocols and deploy HSTS to help ensure all site traffic is encrypted. What follows is a list of questions and answers that we hope you will find useful in understanding and discussing these changes with your internal stakeholders.
What is TLS?
TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today, and is used for web browsers and other applications that require data to be securely exchanged over a network. TLS ensures that a connection to a remote endpoint is the intended endpoint through encryption and endpoint identity verification.
Why is TLS 1.0 being disabled? Why is TLS 1.1 being disabled?
TLS 1.0 was defined in 1999 and several vulnerabilities have been discovered over the past several years, which prompted improved standards.
TLS 1.1 was released in 2006 and is less vulnerable than TLS 1.0, but organizations which set standards for internet security highly recommend that sites move to only supporting TLS 1.2 and later, which is widely supported and is the current standard, at this time. There is also little to be gained by TLS 1.1 support, as nearly all user agents which support it also support the more secure TLS 1.2. (A user agent is software which interacts with your site: typically a browser or API automation.)
What will be the impact of TLS 1.0 & TLS 1.1 disablement?
Any inbound connections to or outbound connections from your site that rely on TLS 1.0 or TLS 1.1 will fail. API integrations will cease to work if they are not compatible with TLS 1.2 or later. This includes .NET-based integrations that send requests and are not enabled with TLS 1.2 or later.
This change will not require downtime of your site, but may impact old user agents.
What is HSTS?
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should interact with it using only secure HTTPS connections, and never via the insecure HTTP protocol.
What will be the impact of HSTS?
Your site already redirects users to a secure HTTPS connection. With HSTS most browsers will remember this and automatically use HSTS when additional requests are made over the insecure HTTP protocol.
How can I help my users prepare for this change?
Major browsers have supported TLS 1.2 for several years and many websites have already disabled older versions of TLS, so many users will have already updated.
|First TLS 1.2 compatible version||TLS 1.2 compatible release date|
|Chrome 30 (Desktop & mobile)||OCT-2013|
|Safari 7 (Desktop)||OCT-2013|
|Safari 5 (iOS)||OCT-2011|
|Microsoft IE 11 & Edge (all versions)||JUL-2015|
A more comprehensive list of user agents which support TLS 1.2 is available at https://www.ssllabs.com/ssltest/clients.html and https://www.ssllabs.com/ssltest/viewMyClient.html will tell you if your current browser supports TLS 1.2. We recommend, however, that you simply ask users to visit https://whatbrowser.org to ensure that they are running the most recent version of their respective browser in preparation for the TLS changes.
If you use integrations or web service calls you may need to contact the parties which oversee these things and ask them to ensure that they are supporting at least TLS 1.2.
Special communication about HSTS is likely unnecessary, as HSTS simply tells their browser to only attempt to connect to the site securely. If you make API calls to your server, however, you should ensure they are using HTTPS protocol instead of HTTP.
What happens to TLS 1.0 or TLS 1.1 connection attempts after December 31?
The server will not serve content to browsers or user agents which do not support 1.2 or later after this time. The message delivered to the user agent will vary based on the software, but the page will not load if the user agent does not support a minimum of TLS 1.2.
What if we need these changes made before December 31?
Downtime is not necessary for this change, and if you have a requirement to have TLS 1.0 & 1.1 support removed and have HSTS enabled earlier than January 1st please enter a support ticket to schedule the change at https://support.remote-learner.com.
Remote-Learner US, Inc.
1550 Larimer Street, Suite 785
Denver, CO 80202 USA
Remote-Learner Canada, Inc.
180 Northfield Drive West, Suite 4
Waterloo, ON N2L 0C7